changelog

Updates from May 2026


Team onboarding with social sign-in and verified domains

Two things landed today that change how greyout handles team access. Sign in with Google or GitHub instead of email-only, and onboard a whole team automatically by verifying your domain — no invite links to chase.

What's live

  • Sign in with Google or GitHub alongside the existing magic-link flow. Pick the provider on the sign-in screen. First-time sign-in creates the account just in time, so a new colleague never sees a register form. Microsoft Entra is wired but disabled while Publisher Verification finishes on Microsoft's side — coming in a follow-up.
  • Verified domains under Settings → Verified domains. Add your domain, place the DNS TXT record we hand you at _greyout-verify.<your-domain>, click verify. From that point on, anyone signing in with an email at that domain auto-attaches to your workspace at the role you choose.
  • Members under Settings → Members shows everyone with access. Change a role inline from the dropdown. Remove access without leaving the page. The last owner cannot be demoted or removed — built-in safety rail so a workspace never ends up without an admin.
  • Permissions under Settings → Permissions lets owners toggle what each role can do, per workspace. The defaults are sensible: owners run the workspace, members operate monitors and acknowledge incidents, viewers see but cannot change. Override any of it when the team works differently.

What changed for you

If you have ever invited a teammate by sending them a magic link and then remembering to set their role afterwards, that workflow is gone. Set up a verified domain once and every new colleague who signs in is already in your workspace at the right role from their first second.

For solo accounts nothing changes. The magic-link flow continues to work exactly as before and you do not need to set up anything new.


Blocklist monitoring and a full Report tab for every check

Two things landed this week. A new Blocklist monitor that checks whether your domain or sending IPs appear on the major email blocklists, and a fully fleshed-out Report tab for every other check type. The "ships in a future sub-PR" placeholders are gone.

What's live

  • Blocklist monitor — Spamhaus ZEN, Barracuda Reputation, SORBS, SpamCop, URIBL and SURBL all queried in parallel every six hours. Listings surface in a dedicated Report with the exact zone that flagged you, what was queried (an IP or a domain), and the response code the blocklist returned. Most DNSBLs encode the listing reason in that response code, so the report tells you not just "you are listed" but "here is why".
  • Per-check Report tabs — SSL, DNS, Domain expiry, Security headers, Broken links and Robots/sitemap now each open into a Report tailored to the check. Letter grades for headers. Drift detection with the previous fingerprint inline for DNS. Side-by-side reachability for robots.txt and sitemap.xml. Cert chain rendered as cards. Broken-links table with clickable URLs and status codes.
  • Settings tabs on every check — read-only summaries of what each monitor is configured to do, including the cadence, scope, thresholds and baselines. Configurable forms for these settings land in later sub-PRs.
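
How a DNSBL response code turns into a listing reason, as an added example that is not greyout's own code: it builds the query name for an address and classifies the answers, using Spamhaus ZEN's published return codes. The sample answers are constructed, and the function names are assumptions made for this illustration.

```python
import ipaddress

# Spamhaus ZEN return codes; other zones publish their own tables.
ZEN_CODES = {
    "127.0.0.2": "SBL: spam source",
    "127.0.0.3": "SBL CSS: automated spam-source listing",
    "127.0.0.4": "XBL: exploited or infected host",
    "127.0.0.9": "SBL DROP: netblock on the DROP list",
    "127.0.0.10": "PBL: policy listing maintained by the ISP",
    "127.0.0.11": "PBL: policy listing maintained by Spamhaus",
}
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")  # query errors, not listings
LISTING_NET = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_query_name(ip, zone):
    """Build the lookup name: reversed octets (IPv4) or nibbles (IPv6) + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone

def classify(answers, codes=ZEN_CODES):
    """Interpret the A records returned for a DNSBL query; [] means NXDOMAIN."""
    report = {"listed": False, "reasons": [], "errors": []}
    for a in answers:
        addr = ipaddress.ip_address(a)
        if addr in ERROR_NET:
            report["errors"].append(f"{a}: zone returned an error code, not a listing")
        elif addr not in LISTING_NET:
            report["errors"].append(f"{a}: not a DNSBL answer (wildcard or rewritten DNS)")
        else:
            report["listed"] = True
            report["reasons"].append(codes.get(a, f"{a}: undocumented code"))
    return report

# Constructed answers for illustration, not real lookups.
SAMPLE = {
    "listed twice": ["127.0.0.4", "127.0.0.11"],
    "clean": [],
    "open resolver": ["127.255.255.254"],
    "rewritten NXDOMAIN": ["203.0.113.10"],
}

if __name__ == "__main__":
    print(dnsbl_query_name("192.0.2.99", "zen.spamhaus.org"))
    for label, answers in SAMPLE.items():
        print(label, classify(answers))
```

Answers in 127.255.255.0/24 or outside 127.0.0.0/8 are reported as errors rather than listings, which keeps a blocked resolver or a rewritten NXDOMAIN from raising a false alarm.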

What changed for you

If you had monitors set up on anything other than Uptime, they were collecting data already but the Report tab was a stub. That changes today. Open any SSL, DNS, Domain, Headers, Links, Robots or Blocklist monitor and you see what the probe actually saw — not a placeholder telling you the data is on its way.


HTTP MCP server, OAuth 2.0 with Dynamic Client Registration

greyout is now agent-native. Any MCP-aware AI tool — Claude Code, Claude.ai, Cursor, Aider, custom — can connect with a single URL and run real monitoring workflows.

What's live

  • https://mcp.greyout.io/mcp — hosted HTTP MCP server (Streamable HTTP transport, JSON-RPC 2.0) with auto-renewing TLS.
  • OAuth 2.0 Authorization Server at app.greyout.io with three flows: Authorization Code + PKCE (browser MCP clients), Device Grant (terminal CLIs), Refresh Token (silent rotation).
  • Dynamic Client Registration (RFC 7591) — clients self-register without a human in the loop on our side.
  • Discovery via standard metadata documents: /.well-known/oauth-protected-resource (RFC 9728) and /.well-known/oauth-authorization-server (RFC 8414).
  • Per-device permission management — grant or revoke individual scopes from Settings → Authorized devices without disconnecting the whole device.
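
What an MCP client can check after fetching the two discovery documents and before starting the Authorization Code + PKCE flow, as an added example that is not greyout's own code. The metadata documents are constructed, the issuer value is assumed from the host named above, the endpoint paths are placeholders, and the function names are assumptions.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlsplit

def s256_challenge(verifier):
    """PKCE S256: BASE64URL(SHA256(verifier)) without padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def new_pkce_pair():
    verifier = secrets.token_urlsafe(64)  # 86 characters, inside the 43..128 limit
    return verifier, s256_challenge(verifier)

def check_discovery(resource_url, resource_meta, issuer, as_meta):
    """Return the reasons not to trust the discovered configuration (empty if none)."""
    problems = []
    if resource_meta.get("resource") != resource_url:
        problems.append("resource metadata names a different resource")
    if issuer not in resource_meta.get("authorization_servers", []):
        problems.append("issuer not listed by the protected resource")
    if as_meta.get("issuer") != issuer:
        problems.append("authorization server metadata names a different issuer")
    if "S256" not in as_meta.get("code_challenge_methods_supported", []):
        problems.append("PKCE S256 not advertised")
    for key in ("authorization_endpoint", "token_endpoint", "registration_endpoint"):
        url = urlsplit(as_meta.get(key, ""))
        if url.scheme != "https" or not url.hostname:
            problems.append(f"{key} missing or not https")
    return problems

# Constructed documents: the endpoint paths are placeholders, not greyout's real ones.
RESOURCE = "https://mcp.greyout.io/mcp"
ISSUER = "https://app.greyout.io"  # assumed issuer identifier
RESOURCE_META = {"resource": RESOURCE, "authorization_servers": [ISSUER]}
AS_META = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/placeholder/authorize",
    "token_endpoint": ISSUER + "/placeholder/token",
    "registration_endpoint": ISSUER + "/placeholder/register",
    "code_challenge_methods_supported": ["S256"],
}

if __name__ == "__main__":
    print(check_discovery(RESOURCE, RESOURCE_META, ISSUER, AS_META))
    spoofed = dict(AS_META, issuer="https://login.example",
                   code_challenge_methods_supported=["plain"])
    print(check_discovery(RESOURCE, RESOURCE_META, ISSUER, spoofed))
```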

What changed for you

The earlier per-token spending cap is gone. greyout's plans are subscription tiers (binary moves between Starter / Pro / Business), so a metered cap was complexity without product value. Billing actions are now gated purely by the billing:authorize scope — granted to a device only if you tick the box on the consent screen (off by default for safety).


Native probes, scheduler split, status badges, theme toggle

A heavy day — a lot of the redesign lands back-to-back.

Native probes

We replaced the third-party probe stack with our own:

  • Native HTTP uptime probe.
  • Native SSL certificate probe.
  • Native domain expiry probe — no more upstream rate limits.
  • The old dependency is gone from the codebase entirely.

Result: simpler architecture, faster probes, every checker is greyout's own code.

Scheduler split

The scheduler now runs on a dedicated workers host, separately from the web app. They never compete for the same minute of work — alerts dispatch from exactly one place.

Workspace overview

The org-level overview page is now a linear list of projects, sorted by worst-status, scannable in one glance.

Theme toggle

Light + dark themes, with an AA-pass light palette. System / Light / Dark settings stick in a cookie, and the inline boot script means no white flash on a dark-themed user's first paint.

Maintenance windows

Planned maintenance periods (one-off + recurring) — open incidents within a window are automatically suppressed and re-evaluated when it closes.

Monthly reports

Per-workspace monthly digest — settings, on-demand generator, and a scheduled dispatcher that emails each owner on the 1st.

Per-project notifications

Notification channels are now scoped per project rather than workspace-global. Plus per-channel opt-outs and per-project throttling so a noisy day on one project doesn't wake you for the others.

Public status badges

<img src="https://app.greyout.io/badges/<token>/uptime/large.svg"> — embed an at-a-glance status badge anywhere. SVG, no auth, no cookies, regenerable token if the URL leaks.